← Back to CVEs

CVE-2024-27296

MEDIUM

5.3

Description

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer.

CVE Details

CVSS v3.1 Score5.3

SeverityMEDIUM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published3/1/2024

Last Modified1/3/2025

Sourcenvd

Honeypot Sightings0

Affected Products

monospace:directus

Weaknesses (CWE)

CWE-200

References

https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0(security-advisories@github.com)

https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j(security-advisories@github.com)

https://github.com/directus/directus/commit/a5a1c26ac48795ed3212a4c51b9523588aff4fa0(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.